
But is this an unconstrained root, or does it use name constraints to limit it to localhost domains/IPs? And how does it handle/store the private key associated with that root?



What's your threat model here? The way this works is that on your development machine, localias (through caddy/mkcert) generates a root cert and the per-site certs and installs them to your development machine's trust store. All of the certs live entirely on your device and never leave. You have full control over them and can remove them at any time.

The certs and keys live in the localias application state directory on your machine:

    • tree /Users/pd/Library/Application\ Support/localias/caddy/pki/authorities/local/
    /Users/pd/Library/Application Support/localias/caddy/pki/authorities/local/
    ├── intermediate.crt
    ├── intermediate.key
    ├── root.crt
    └── root.key

The whole nicety of localias is that you can create domain aliases for any domain you can think of, not just ".localhost". For instance, on my machine right now, the aliases are:

    • localias list
    cryptoperps.local -> 3000
    frontend.test -> 3000
    backend.test -> 8080



